HipChat Prompts Password Resets Following Server Hack

Group messaging platform HipChat this week prompted users to reset their passwords following a security incident involving one of its servers.

Atlassian-owned HipChat claims that a vulnerability in a popular third-party library used by HipChat.com was at fault, and that the incident affected only a server in the HipChat Cloud web tier. No other Atlassian systems or products appear to have been affected, the company says.

However, to ensure that users’ data remains secure, the company decided to invalidate passwords on all HipChat-connected user accounts. It also sent notifications to those users and provided them with details on how to reset their passwords.

The incident, HipChat Chief Security Officer Ganesh Krishnan reveals, resulted in attackers possibly accessing user account information such as name, email address and password (hashed using bcrypt with a random salt) for all instances (each of which is represented by a unique URL in the form company.hipchat.com). Room metadata such as room name and topic might have also been accessed.

In some cases, messages and content in rooms may have been accessed as well. The company says that, for more than 99.95% of instances, there was no evidence that messages or content in rooms have been accessed.

“Additionally, we have found no evidence of unauthorized access to financial and/or credit card information,” HipChat revealed.

HipChat Server uses the same third-party library, but it has been deployed in a manner that minimizes the risk of this type of attack, the company says, adding that an update will be shared to customers directly through the standard update channel.

“We are confident we have isolated the affected systems and closed any unauthorized access. To reiterate, we have found no evidence of other Atlassian systems or products being affected,” the company notes.

Atlassian continues to investigate the incident and says that it is actively working with law enforcement authorities on this matter.

Owned and operated by Atlassian Pty Ltd, HipChat is a chat platform that aims at providing business users with group chat, video chat, screen sharing and required security in a single app. It brings together services that teams might be using every day, features 256-bit SSL encryption, and also packs cloud integration and synchronization across devices.

In an emailed comment, Michael Patterson, CEO of Plixer International, pointed out to SecurityWeek that this incident once again proves that any tool a manufacturer uses can be abused for compromise.

“HipChat hashes passwords using bcrypt with a random salt, which adds a layer of security, and they reset the passwords associated with effected accounts. In this case the compromise came from a trusted 3rd party, which highlights that threat surfaces for any tool extend beyond the manufacturer themselves,” Patterson said.

He also noted that the compromise of ChatOps tools like HipChat can do a lot of harm within an organization: “ChatOps tools are used to support a DevOps and collaboration culture, meaning that teams of people as well as technology systems are dynamically connected and critical business processes can be automated. When a ChatOps tool becomes compromised, there is a high likelihood that the attacker can suddenly gain access across the most trusted and an important system a company has.”